Massive Security Vulnerability In HTC Android Devices (EVO 3D, 4G, Thunderbolt, Other

Discussion in 'Droid Forums Member News Depot' started by n0yxl, Oct 2, 2011.

  1. n0yxl
    http://www.androidpolice.com/2011/10/01/massive-security-vulnerability-in-htc-android-devices-evo-3d-4g-thunderbolt-others-exposes-phone-numbers-gps-sms-emails-addresses-much-more/

    I am quite speechless right now.
    Justin Case and I have spent all day together with Trevor Eckhart (you may remember him as TrevE of DamageControl and Virus ROMs) looking into Trev's findings deep inside HTC's latest software installed on such phones as EVO 3D, EVO 4G, Thunderbolt, and others.
    These results are not pretty. In fact, they expose such ridiculously frivolous doings, which HTC has no one else to blame but itself, that the data-leaking Skype vulnerability Justin found earlier this year pales in comparison. Without further ado, let me break things down.
    The Vulnerability

    In recent updates to some of its devices, HTC introduces a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users' devices, easier remote analysis, corporate evilness - it doesn't matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in.
    That is not the case. What Trevor found is only the tip of the iceberg - we are all still digging deeper - but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:
    • the list of user accounts, including email addresses and sync status for each
    • last known network and GPS locations and a limited previous history of locations
    • phone numbers from the phone log
    • SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
    • system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info
    Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the INTERNET permission (to submit scores online, for example), you don't expect it to read your phone log or list of emails.
    But that's not all. After looking at the huge amount of data (the log file was 3.5MB on my EVO 3D) that is vulnerable to apps exploiting this vulnerability all day, I found the following is also exposed (granted, some of which may be already available to any app via the Android APIs):

    • active notifications in the notification bar, including notification text
    • build number, bootloader version, radio version, kernel version
    • network info, including IP addresses
    • full memory info
    • CPU info
    • file system info and free space on each partition
    • running processes
    • current snapshot/stacktrace of not only every running process but every running thread
    • list of installed apps, including permissions used, user ids, versions, and more
    • system properties/variables
    • currently active broadcast listeners and history of past broadcasts received
    • currently active content providers
    • battery info and status, including charging/wake lock history
    • and more
    Let me put it another way. By using only the INTERNET permission, any app can also gain at least the following:


    • ACCESS_COARSE_LOCATION: Allows an application to access coarse (e.g., Cell-ID, WiFi) location
    • ACCESS_FINE_LOCATION: Allows an application to access fine (e.g., GPS) location
    • ACCESS_LOCATION_EXTRA_COMMANDS: Allows an application to access extra location provider commands
    • ACCESS_WIFI_STATE: Allows applications to access information about Wi-Fi networks
    • BATTERY_STATS: Allows an application to collect battery statistics
    • DUMP: Allows an application to retrieve state dump information from system services
    • GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service
    • GET_PACKAGE_SIZE: Allows an application to find out the space used by any package
    • GET_TASKS: Allows an application to get information about the currently or recently running tasks: a thumbnail representation of the tasks, what activities are running in it, etc.
    • READ_LOGS: Allows an application to read the low-level system log files
    • READ_SYNC_SETTINGS: Allows applications to read the sync settings
    • READ_SYNC_STATS: Allows applications to read the sync stats



    Theoretically, it may be possible to clone a device using only a small subset of the information leaked here.

    I'd like to reiterate that the only reason the data is leaking left and right is because HTC set their snooping environment up this way. It's like leaving your keys under the mat and expecting nobody who finds them to unlock the door. For a more technical explanation, see the section below.
    Additionally, and the implications of this could end up being insignificant, yet still very suspicious, HTC also decided to add an app called androidvncserver.apk to their Android OS installations. If you're not familiar with the definition of VNC, it is basically a remote access server. On the EVO 3D, it was present from the start and updated in the latest OTA. The app doesn't get started by default, but who knows what and who can trigger it and potentially get access to your phone remotely? I'm sure we'll know soon enough - HTC, care to tell us what it's doing here?

    Technical Details

    In addition to Carrier IQ (CIQ) that was planted by HTC/Sprint and prompted all kinds of questions a while ago, HTC also included another app called HtcLoggers.apk. This app is capable of collecting all kinds of data, as I mentioned above, and then... provide it to anyone who asks for it by opening a local port. Yup, not just HTC, but anyone who connects to it, which happens to be any app with the INTERNET permission. Ironically, because a given app has the INTERNET permission, it can also send all the data off to a remote server, killing 2 birds with one stone permission.

    In fact, HtcLogger has a whole interface which accepts a variety of commands (such as the handy :help: that shows all available commands). Oh yeah - and no login/password are required to access said interface.
    Furthermore, it's worth noting that HtcLogger tries to use root to dump even more data, such as WiMax state, and may attempt to run something called htcserviced - at least this code is present in the source:

    /system/xbin/su 0 /data/data/com.htc.loggers/bin/htcserviced


    HtcLoggers is only one of the services that is collecting data, and we haven't even gotten to the bottom of what else it can do, let alone what the other services are capable of doing. But hey - I think you'll agree that this is already more than enough.
    Proof Of Concept App

    In order to help showcase his findings, TrevE created an open-sourced POC (proof of concept) of a simple app that requests a single INTERNET permission, then shows that it can gain access to all the data I mentioned above. I ran the app on an unrooted EVO 3D - see the screenshots below or try it out yourself.
    There is also a video walkthrough below the screenshots, shot by Trevor himself.
    Proof of concept source and apk:
    Patching The Vulnerability

    ... is not possible without either root or an update from HTC. If you do root, we recommend immediate removal of Htcloggers (you can find it at /system/app/HtcLoggers.apk).
    Stay safe and don't download suspicious apps. Of course, even quality-looking apps can silently capture and send off this data, but the chance of that is lower.
    Affected Phones

    Note: Only stock Sense firmware is affected - if you're running an AOSP-based ROM like CyanogenMod, you are safe.
    HTC's Response

    After finding the vulnerability, Trevor contacted HTC on September 24th and received no real response for five business days, after which he released this information to the public (as per RF full disclosure Policy). In my experience, lighting fire under someone's ass in public makes things move a whole lot faster, which is why responsible disclosure is a norm in the security industry. (This is where we come in.)

    As far as we know, HTC is now looking into the issue, but no statement has been issued yet.
    HTC, you got yourself into this mess, and it's now up to you to climb out of the hole as fast as possible, in your own interest.
    The ball is in your court.
    Credit

    Huge thank you to Trevor Eckhart who found the vulnerability and Justin Case for working with us today digging deeper.


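A defender-side triage check for the issue in this post, added here as an example that is not part of the Android Police article or TrevE's proof of concept: it parses the output of `adb shell pm list packages -f` and `adb shell ps` (constructed samples below, not captured from a device) and reports whether the HtcLoggers package is installed as a system app and whether its process is running. The package name com.htc.loggers and the path /system/app/HtcLoggers.apk come from the post; the process user names and pids in the sample are assumptions.

```python
import re

# Package path and name are taken from the post (/system/app/HtcLoggers.apk,
# /data/data/com.htc.loggers/...); the remediation is the post's own advice.
LOGGER_APK = "/system/app/HtcLoggers.apk"
LOGGER_PKG = "com.htc.loggers"
# `pm list packages -f` prints "package:<apk path>=<package name>" per line.
PKG_LINE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>\S+)$")

def parse_package_list(text):
    """Return {package name: apk path} from `pm list packages -f` output."""
    pkgs = {}
    for line in text.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            pkgs[m.group("pkg")] = m.group("path")
    return pkgs

def parse_ps(text):
    """Return [(user, pid, name)] from Android `ps` output (name is the last column)."""
    procs = []
    for line in text.splitlines()[1:]:  # first row is the column header
        cols = line.split()
        if len(cols) >= 3 and cols[1].isdigit():
            procs.append((cols[0], int(cols[1]), cols[-1]))
    return procs

def triage(pm_output, ps_output):
    """Combine both listings into a findings dict a defender can act on."""
    apk = parse_package_list(pm_output).get(LOGGER_PKG)
    pids = [pid for _, pid, name in parse_ps(ps_output) if name == LOGGER_PKG]
    return {
        "installed": apk is not None,
        "apk_path": apk,
        "system_app": apk == LOGGER_APK,
        "running_pids": pids,
        "advice": ("remove %s (needs root or an HTC update)" % LOGGER_APK)
                  if apk else "HtcLoggers not present",
    }

# Constructed sample output (not captured from a device); the non-HTC rows are filler.
SAMPLE_PM = """package:/system/app/Browser.apk=com.android.browser
package:/system/app/HtcLoggers.apk=com.htc.loggers
package:/data/app/com.example.game-1.apk=com.example.game"""
SAMPLE_PS = """USER     PID   PPID  VSIZE  RSS     WCHAN    PC         NAME
root      1     0     296    204   c009a694 0000c93c S /init
app_41    1203  85    152040 24512 ffffffff afd0c51c S com.htc.loggers
app_57    1388  85    130212 21040 ffffffff afd0c51c S com.example.game"""

if __name__ == "__main__":
    print(triage(SAMPLE_PM, SAMPLE_PS))
```

On a real device, pipe the two adb command outputs into triage(); as the post says, the package can only be removed with root or an HTC update.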
     
  2. wcjeep
    thanks for the heads up. I sent this to my HTC friends.
     
  3. ambrown
    If your phone is rooted can you delete the logger or would that do other irreparable damage?

    Sent from my Droid Incredible on 2.3.4 using the DroidForums app
     
  4. kodiak799
    Hmmm...Perhaps I have a false sense of security with all the banking and other sensitive stuff I do on my computer. But I don't touch that stuff on my phone, for reasons such as this among other things. Besides, unless you have no computer and no other internet access, there's really no need or reason to undertake such truly sensitive activity on your phone. Maybe I could make an argument for trading stocks, but only in an emergency situation where waiting a few hours or a day after bad news would cost you a lot of money.
     
  5. Arkbird
    I agree. There are just some things you shouldn't do on your phone. Anything that deals with your money and banking, or personal info like your social security number. All that is best done on your computer through your own secured network. Still sucks to see all these HTC phones with vulnerabilities. I'm glad I went Moto.
     
  6. nikecar
    Agree. Although I am guilty of calling the moneyline voice system for balances.

    Sent from someplace, and with something that you need not worry about.
     
  7. tc1
    With the horrible battery, 2 failed massive updates that actually break your phone....now this?

    No more HTC products for me ever again.

    Sent from my ADR6400L using DroidForums
     
  8. Arkbird
    Well I do have text banking notifications set up so I can text a number to check my balance but that's set up through my bank and not on my phone.
     
  9. Dsiiiviper4
    Is this just for HTC devices? Or are Droid X users vulnerable also?

    Sent from my DROIDX using Tapatalk
     
    Last edited: Nov 28, 2011